
Entrust® IdentityGuard

Self-Service Module 12.0

User Guide

Document issue: 4.0

Date of issue: November 2018


© 2018 Entrust Datacard Ltd. All rights reserved.

Entrust is a trademark or a registered trademark of Entrust,
Inc. in certain countries. Entrust is a registered trademark of
Entrust Datacard Limited in Canada. All Entrust product
names and logos are trademarks or registered trademarks
of Entrust, Inc. or Entrust Datacard Limited in certain
countries. All other company and product names and logos
are trademarks or registered trademarks of their respective
owners in certain countries.

This information is subject to change as Entrust reserves
the right to, without notice, make changes to its products
as progress in engineering or manufacturing methods or
circumstances may warrant.

Export and/or import of cryptographic products may be
restricted by various regulations in various countries.
Export and/or import permits may be required.

2 Self-Service Module 12.0 User Guide


Table of contents

About this guide
  Revision information
  Documentation conventions
    Note and Attention text
  Obtaining documentation
    Documentation feedback
  Obtaining technical assistance
    Technical support
    Professional Services
    Training

Entrust IdentityGuard Self-Service application overview
  Entrust IdentityGuard Self-Service overview
    What you can do
    Multi-language interface

Self-registration walk-through
  Starting the self-registration walk-through
    Registering using Self-Service

Self-administration walk-through
  Starting the self-administration walk-through
  Self-administration actions
    Updating your personal information
    Changing your questions and answers
    Unlocking a locked authenticator
    Enrolling and managing your biometric data
    Administering your grid
    Administering your hardware token
    Administering your soft token
    Changing or recovering your Entrust IdentityGuard password
    Administering machine secrets
    Requesting new OTPs
    Administering your smart credential
    Reset your physical smart credential PIN
    Administering your digital ID
    Administering location history
    Reset your Entrust IdentityGuard password from the Self-Service login page
    Unlock your Active Directory account or reset your Active Directory password from the Self-Service login page


About this guide


The Entrust IdentityGuard Self-Service User Guide provides detailed walkthroughs of
the Entrust IdentityGuard Self-Service user interface.

Revision information
Table 1: Revisions in this document

| Document issue and date | Section | Description |
| --- | --- | --- |
| 4.0, November 2018 | “To log in to Self-Service” on page 32 | Updates to support Self-Service Module Release 12.0 Patch 101055. Support for combined multifactor authentication for Self-Service login. |
| 3.0, October 2017 | “To log in to Self-Service” on page 32 | Updates to support Self-Service Module Release 12.0 Patch 57210. |
| | “Reset your Entrust IdentityGuard password from the Self-Service login page” on page 167 | Support for push authentication as second factor for Self-Service login. |
| | “To activate your hardware token” on page 57 | Updated screen capture with serial number location on new tokens. |
| | “To activate your hardware token” on page 57 | Note below step 3 about identifying token vendor. |
| | “To activate your hardware token” on page 57 | Users are required to name a token only if they have more than one. |
| | “To activate your physical smart credential” on page 87 | Added a note about browser support for "over-the-web" (OTW) operations that depend on Java applets. |
| | “Reset your physical smart credential PIN” on page 95 | Added procedures |
| 2.0, July 2017 | “Password reset and unlock” on page 15 | Updates to support Self-Service Module Release 12.0 Patch 25611. |
| | “Reset your Entrust IdentityGuard password from the Self-Service login page” on page 167 | |
| | “Unlock your Active Directory account or reset your Active Directory password from the Self-Service login page” on page 169 | |
| | “Multi-language interface” on page 16 (now supports Japanese) | |



Report any errors or omissions
Table 1: Revisions in this document (continued)

| Document issue and date | Section | Description |
| --- | --- | --- |
| 1.0, March 2017 | All sections | First release of this guide for Entrust IdentityGuard Self-Service Module, Release 12.0. |

Documentation conventions
Following are documentation conventions that appear in this guide:

Table 2: Typographic conventions

| Convention | Purpose | Example |
| --- | --- | --- |
| Bold text (other than headings) | Indicates graphical user interface elements and wizards | Click Next. |
| Italicized text | Used for book or document titles | Entrust TruePass 7.0 Deployment Guide |
| Blue text | Used for hyperlinks to other sections in the document | Entrust TruePass supports the use of many types of digital ID. |
| Underlined blue text | Used for Web links | For more information, visit our Web site at www.entrust.com. |

Note and Attention text


Throughout this guide, there are paragraphs set off by ruled lines above and below
the text. These paragraphs provide key information with two levels of importance, as
shown below.

Note: Information to help you maximize the benefits of your Entrust product.

Attention: Issues that, if ignored, may seriously affect performance, security, or
the operation of your Entrust product.

Obtaining documentation
Entrust product documentation, white papers, technical notes, and a comprehensive
Knowledge Base are available through Entrust TrustedCare Online. If you are
registered for our support programs, you can use our Web-based Entrust Datacard
TrustedCare online support services at:
https://trustedcare.entrustdatacard.com

Documentation feedback
You can rate and provide feedback about Entrust product documentation by
completing the online feedback form. You can access this form by
• clicking the Report any errors or omissions link located in the footer of
Entrust’s PDF documents (see bottom of this page).
• following this link: http://go.entrust.com/documentation-feedback
Feedback concerning documentation can also be directed to the Customer Support
email address.
support@entrustdatacard.com

Obtaining technical assistance
Entrust recognizes the importance of providing quick and easy access to our support
resources. The following subsections provide details about the technical support and
professional services available to you.

Technical support
Entrust offers a variety of technical support programs to help you keep Entrust
products up and running. To learn more about the full range of Entrust technical
support services, visit our Web site at:
http://www.entrustdatacard.com/
If you are registered for our support programs, you can use our Web-based support
services.
Entrust TrustedCare Online offers technical resources including Entrust product
documentation, white papers and technical notes, and a comprehensive Knowledge
Base at:
https://trustedcare.entrustdatacard.com
If you contact Entrust Customer Support, please provide as much of the following
information as possible:
• Your contact information
• Product name, version, and operating system information
• Your deployment scenario
• Description of the problem
• Copy of log files containing error messages
• Description of conditions under which the error occurred
• Description of troubleshooting activities you have already performed

Telephone numbers
For support assistance by telephone call one of the numbers below:
• 1-877-754-7878 in North America
• 1-613-270-3700 outside North America

Email address
The email address for Customer Support is:
support@entrustdatacard.com

Professional Services
The Entrust team assists e-businesses around the world to deploy and maintain secure
transactions and communications with their partners, customers, suppliers and
employees. We offer a full range of professional services to deploy our e-business
solutions successfully for wired and wireless networks, including planning and design,
installation, system integration, deployment support, and custom software
development.
Whether you choose to operate your Entrust solution in-house or subscribe to hosted
services, Entrust Professional Services will design and implement the right solution for
your e-business needs. For more information about Entrust Professional Services
please visit our Web site at:
http://www.entrust.com/services

Training
Through a variety of hands-on courses, Entrust delivers effective training for
deploying, operating, administering, extending, customizing and supporting any
variety of Entrust digital identity and information security solutions. Delivered by
training professionals, Entrust's professional training services help to equip you with
the knowledge you need to speed the deployment of your security platforms and
solutions. Please visit our training website at:
https://www.entrustdatacard.com/resource-center/training

1

Entrust IdentityGuard Self-Service application overview
The Entrust IdentityGuard Self-Service Module supplies an application for use with
Entrust IdentityGuard. It allows you to perform many Entrust IdentityGuard
registration and administration tasks that administrators would otherwise have to
perform for you.
This guide introduces the Self-Service application, and shows what you will see when
using Self-Registration and Self-Administration.

Note: Entrust IdentityGuard Self-Service Module supports Google Chrome™,
Mozilla Firefox, Microsoft® Internet Explorer, and Apple Safari (versions available
at the time of this Entrust product release). Login and self-administration
functionality are also supported on Android, iPhone, and BlackBerry browsers.

Entrust IdentityGuard Self-Service overview
Entrust IdentityGuard protects your organization’s online resources by providing the
capability of verifying your identity to the server. To allow you to be recognized by
Entrust IdentityGuard when you log in, you must be registered; that is, you must have
an Entrust IdentityGuard account.
The Self-Service application allows you to register for an Entrust IdentityGuard user
account without help from a system administrator. If you already have an account
and authentication items, such as a token, grid card, or smart credential, you may be
required to register using the Self-Service application so that you have access to
Self-Administration features.
After you have registered, you can access the Self-Administration interface. Using
Self-Administration, you can perform many administration tasks yourself, depending
on the way your administrators have configured Self-Service for your organization.

What you can do


You log in to the Self-Registration application as instructed by your system
administrator. Depending on the login method used by your company, you may use
your Entrust IdentityGuard user ID and password, or you may log in using another
method configured in your company.

Self-Registration
After you log in to the Self-Registration application, you are prompted to set up
information for your authentication methods. Depending on how your company has
configured the registration application, you may do some or all of the following tasks
as part of self-registration to Entrust IdentityGuard:
• Enter contact information (either email addresses or telephone numbers or
both) for use in sending one-time passwords (OTP).
• Select a mutual authentication image.
• Enter a mutual authentication phrase.
• Select questions and enter answers for Question and Answer (Q&A)
authentication.
• Register for a grid, hardware token, or soft token.
• Download the Entrust IdentityGuard Mobile OTP app for using soft tokens
on mobile devices.
• Download the Entrust IdentityGuard Desktop Soft Token application for
using soft tokens on a Windows or Mac computer.
• Register for an Entrust IdentityGuard password.

Self-Administration
The next time you log in to Self-Service, you will be directed to Self-Administration.
You will see a list of actions you are allowed to perform, including some or all of the
actions in the following list:
• Request a new grid, hardware token, soft token, or digital ID
• Activate a new grid, hardware token, soft token, or smart credential
• Report a grid, hardware token, soft token, or smart credential misplaced or
found
• Report a grid, hardware token, soft token, or smart credential permanently
lost, and request a new one
• Unlock a challenge-response token
• Unblock a soft token or smart credential PIN
• Recover a forgotten personal verification number (PVN)
• Change or recover a password
• Change questions and answers.
• Change mutual authentication image or caption
• Change or add contact information
• Request additional one-time passwords for future use
• Enroll fingerprints for biometric authentication

Password reset and unlock


What if you forget the password you use to log in to Self-Service? A link on the login
page can initiate the password reset procedure. Also, if your organization uses Active
Directory passwords for Self-Service login and you have locked your account by
entering the wrong password too many times, you can use the link on the login page
to initiate the password unlock procedure. Find out more about these features in
“Reset your Entrust IdentityGuard password from the Self-Service login page” on
page 167 and “Unlock your Active Directory account or reset your Active Directory
password from the Self-Service login page” on page 169.
The following chapters walk you through the Self-Registration interface and the
Self-Administration interface. You may not see all of these screens, depending on
how the applications are configured for your company.

Multi-language interface
To help ensure user success with Self-Registration and Self-Administration tasks, your
administrator can configure Self-Service to display pages in numerous languages. If
configured, you see a language selector on every Self-Service page.

If you have JavaScript disabled in your browser, you must click the Change button in
addition to selecting a language from the list.

When you access Self-Service again from the same browser on the same device,
Self-Service remembers your language preference from the previous session. (If you
use Self-Service from a public kiosk, or if your administrator has turned off this
feature, the language of your last session might not be remembered.)

2

Self-registration walk-through
This chapter walks you through the screens you will see when you register for an
Entrust IdentityGuard account using the Self-Service application.
You may not see all of the screens or all the features on the screens displayed in this
chapter; the registration requirements shown to you during registration depend on
which authentication factors your company uses.

Starting the self-registration walk-through
Open a Web browser, and log in to Self-Service at the URL supplied by Entrust
IdentityGuard administration in your company. Use the login method and login
credentials supplied with your login instructions.

Registering using Self-Service


This section includes the following procedures:
• “To log in to Self-Service for registration” on page 19
• “To enter your personal information” on page 22
• “To select your mutual authentication image and phrase” on page 25
• “To enter your questions and answers” on page 26
• “To download and activate Entrust IdentityGuard soft tokens” on page 29

Note: The following is an example of the sequence of steps you follow to
register. Your company may have customized the registration to add or remove
steps. In addition, customizations to the appearance may mean that the screens
you see are not exactly as those shown in these procedures.

Note: Entrust IdentityGuard Self-Service Module supports Google Chrome™,
Mozilla Firefox, Microsoft® Internet Explorer, and Apple Safari (versions available
at the time of this Entrust product release). Login and self-administration
functionality are also supported on Android, iPhone, and BlackBerry browsers.

Logging in to Self-Service
The Log in screen shown in the following procedure uses the Entrust
IdentityGuard password login; this may not be the starting screen you see if your
administrator has configured an alternate type of first-factor authentication. If
you are instructed to use Entrust IdentityGuard user ID and password, the screens
you see may still look different if your company has customized the Self-Service
application to use your company logo and colors, for example.

To log in to Self-Service for registration


1 Open a browser and enter the URL provided by your Entrust IdentityGuard
administrator.
The login screen appears.
2 If your administrator has configured Self-Service to display more than one
language, and you wish to use Self-Service in a language other than the one
displayed by default, select the language from the drop-down list. (If JavaScript
is not enabled on your browser, you must also select the Change button after you
choose a language.)

The page displays text in the selected language.


3 Log in to Self-Service.

Depending on the method of first-factor authentication configured for you, you
may be offered one of the following login methods:
• password login
• one-time password (OTP) login
Complete the steps for the type of first-factor login challenge presented to you.

Login method: Password login
Steps to log in:
   1 If more than one type of password is supported in your organization,
     select your password type from the drop-down list. Your administrator
     can tell you the type of password to use.
   2 Enter your user name and password.
   3 If your administrator has told you to specify a group or searchbase at
     login, select it from the Group or Searchbase drop-down list.
   4 Select Log In.

Login method: OTP login
Steps to log in:
   1 If your administrator has sent you an email or text message with a
     one-time-password to log in to Self-Service, select the Let me use
     an OTP to log in link.
   2 Enter your user name.
   3 Copy the OTP from the email or text message you received and
     paste it in the Password box.
   4 Select Log In.

Depending on Entrust IdentityGuard policies in place, you may be prompted to
change the password.
4 If prompted to change your password, enter the Current Password given to you
by the Entrust IdentityGuard administrator, and then enter and confirm your new
password. Create your new password using the Password Rules at the right to
guide you.

The Personal Information screen appears. This screen displays any information
that already exists for you.

Entering your personal information


If configured to collect personal information, the registration procedure includes a
section that allows you to enter your full name and your contact telephone numbers
and email addresses.
If your company’s Self-Service application is configured to send one-time passwords
(OTP), then the applicable contact information — either telephone number or email
address — is mandatory.

To enter your personal information


1 The Personal Information screen appears as shown below. This screen will display
any information that already exists for you.
In Full Name, enter your full name if it is not already displayed.
Full Name may be optional, or may not be included in your installation. It may
also be read-only, in which case it will display the information already available in
Entrust IdentityGuard.

Note: If contact information is not included in your company’s configuration,
you will not see the contact information section of the interface, even if you have
contact information in your user record.

2 From the drop-down menu labeled Please choose a label, select the email or
telephone number title you want to enter as contact information. In this example,
two of the options are Work Email and Work Phone.
3 In the Value field next to your first label, enter the applicable telephone number
or email address.
Contact information serves two purposes: it allows the administrator to reach
you, and it can also be used for the delivery of one-time passwords (OTP).

Note: If you enter a telephone number, click Telephone Number Format (in the
blue bar on the right side of the screen) to see the telephone number entry rules.

4 Optional. In the Default column, select one contact information entry as the
default way to contact you.

Attention: If the contact information you select as the default is not associated
with the one-time password (OTP) delivery method your company uses, then
OTP delivery will fail (unless you are given the opportunity to specify the
destination where the OTP should be sent at the time you request that an OTP
be delivered out-of-band).
For example, if you select Work Phone as your default contact information, and
your company sends OTP using email, then you will not receive an out-of-band
OTP.
If you expect OTP delivery, and it fails, contact the administrator.

5 Proceed to “To select your mutual authentication image and phrase” on page 25.

Selecting your mutual authentication image and phrase


If mutual authentication has been configured in your company’s implementation of
the Self-Service application, then you have the opportunity to select an image or
phrase or both.
The next time you log in, and at every login after that, you will see the mutual
authentication image and phrase you selected. If you recognize the image and
phrase as those you selected, you can proceed to log in.

Attention: If you do not recognize the image or the phrase when logging in, do
not continue. Contact your system administrator.

To select your mutual authentication image and phrase
1 On the Personal Information screen, scroll down to the mutual authentication
area.

2 Click on your chosen image.


3 In Mutual Authentication Phrase, enter a phrase that you will remember.
You will see the Mutual Authentication image and phrase at your next log in; this
will show you that you have arrived at the right URL.
4 Click Next.
The Questions & Answers screen appears.
5 Proceed to “To enter your questions and answers” on page 26.

Entering questions and answers for Q&A authentication


Registration using Self-Service includes setting up questions and answers that will be
used to authenticate you when other methods of authentication are not available.
Question and answer authentication is the default second-factor authentication
mechanism if none of the other authentication methods are available to you.
The number of questions you are asked depends on your company’s configuration.
You may also be asked to create one or more questions for yourself. You should enter
questions and answers that will be difficult for others to guess.

To enter your questions and answers


1 Select questions and provide answers as requested.
Your Questions & Answers screen may show a different number of questions,
depending on how your Entrust IdentityGuard administrators have configured
Self-Service.

2 Depending on the Self-Service configuration, you may be required to define one
or more questions of your own, and provide answers.

3 Click Next.

The Additional Authentication Types screen appears. It lists any additional
authentication methods you have been automatically assigned. This list varies,
depending on your company’s Self-Service configuration.

Note: Entrust IdentityGuard may be configured to require Personal Verification
Numbers (PVN) for use with grid, token, or OTP authentication.
If a PVN is required for authentication, and if you have an email account
configured, your PVN will be emailed to you when you finish registering.

This example screen shows that both a grid and a token have been assigned to
this user. This would be quite unusual — normally companies use either grid or
token, but not both. Both are assigned to the example user in this guide to allow
you to see all the options for both.

Attention: If you have been issued a grid or hardware token, there may be a
time limit for activating it. Contact your Entrust IdentityGuard administrator to
find out how long you have to activate your grid or hardware token.

4 Click Next.

Your registration to Entrust IdentityGuard is now complete. The
Self-Administration authentication challenge screen appears.

5 Answer the authentication challenge presented to you.
In this example, you are asked to answer a grid challenge. Your screen may
include different challenges you can choose if you do not yet have your grid; in
this case, one-time password challenge or question & answer challenge are
offered. Depending on what type of authenticator you usually use for
second-factor authentication, you could be offered one or more of the following
choices of alternate second-factor authenticator: question and answer challenge,
one-time password challenge, grid card challenge, or token challenge.

The Self-Administration Actions screen appears.

6 Proceed to “Self-administration walk-through” on page 31 to begin
self-administration.

Using soft tokens with the Entrust IdentityGuard Mobile application or Entrust IdentityGuard Soft Token application
If Entrust IdentityGuard soft tokens have been configured in your company’s
implementation of the Self-Service application, then you have the opportunity to
download the Entrust IdentityGuard Mobile OTP app or Entrust IdentityGuard
Desktop Soft Token application and activate the soft tokens in it.

To download and activate Entrust IdentityGuard soft tokens


1 If you are using soft tokens with:
• a mobile device, see the Entrust IdentityGuard Mobile User Guide for more
information.
• a Windows or Mac computer, see the Entrust IdentityGuard Desktop Soft
Token User Guide (Windows or Mac version, as appropriate) for more
information.

Using smart credentials with the Entrust IdentityGuard Mobile
Smart Credentials application
If Entrust IdentityGuard mobile smart credentials have been configured in your
company’s implementation of the Self-Service application, then you have the
opportunity to download the Entrust IdentityGuard Mobile Smart Credential app and
activate a smart credential on a mobile device.
For more information about activating and using Entrust IdentityGuard mobile smart
credentials, see one of the following:
• Entrust IdentityGuard Mobile Smart Credentials User Guide
• help file in the app
• device-specific user guides hosted on the Entrust Mobile Web page:
– For Apple iOS devices: http://www.entrust.com/mobilesc/ios-guide/
– For Android devices: http://www.entrust.com/mobilesc/android-guide/

3

Self-administration walk-through
This chapter walks you through the screens you will see when you log in to the
Self-Service Module Self-administration interface.
You may not see all of the screens displayed in this chapter; the screens displayed
depend on which authentication methods your company uses, and what actions your
company’s Self-Service configuration allows.
This chapter includes the following sections:
• “Starting the self-administration walk-through” on page 32—describes
various methods of logging into Self-Service for the first time
• “Self-administration actions” on page 40—provides some of the many
self-administration actions that users can perform through Self-Service.

Starting the self-administration walk-through
Log in using the login method and credentials supplied by the Entrust
IdentityGuard system administration in your organization.

To log in to Self-Service
1 Open a web browser, and enter the Self-Administration URL provided by your
Entrust IdentityGuard administrator (this is the same URL you used to register).
The login screen appears.
2 If your administrator has configured Self-Service to display more than one
language, and you wish to use Self-Service in a language other than the one
displayed by default, select the language from the drop-down list. (If JavaScript
is not enabled on your browser, you must also select the Change button after you
choose a language.)

The page displays text in the selected language.


3 Log in to Self-Service.
Depending on how your system is configured, you could be offered one of the
following login methods:
• password login, followed by a second form of authentication challenge
• one-time password (OTP) login, which might be followed by a second form
of authentication challenge
• smart credential login using a physical or mobile smart credential, which is a
one-step authentication
• combined multifactor authentication login, which evaluates first- and
second-factor authentication challenges at the same time. This method
complies with the Payment Card Industry Data Security Standards.
Complete the steps for the type of login challenge presented to you:
• “Password login” on page 33
• “OTP login” on page 34
• “Smart credential login” on page 35
• “Combined multifactor authentication example.” on page 36

Login method Steps to log in


Password login
1 If more than one type of password is supported in your organization, select
your password type from the drop-down list. Your administrator can tell you
the type of password to use.
2 Enter your user name and password.
3 If your administrator has told you to specify a group or searchbase at login,
select it from the Group or Searchbase drop-down list.
4 Select Log In.
You have completed first-factor authentication. Next you will be challenged
with a different type of authenticator, for example, a grid card, token, or a
confirmation from a mobile app (mobile soft token or mobile smart credential).
Go to Step 4 on page 36.
Note: Can’t remember your password? See “Reset your Entrust IdentityGuard
password from the Self-Service login page” on page 167.

OTP login 1 Select the Let me use an OTP to log
in link.
2 Enter your user name.
3 If your browser and email or
messages are on the same device,
copy the OTP from the email or text
message you received and paste it
in the Challenge box. Otherwise,
enter the OTP manually in the
challenge box.
4 Select OK.
You have completed first-factor
authentication. Next you might be
challenged with a different type of
authenticator, for example, a grid
card, token, or a confirmation from
a mobile app (mobile soft token or
mobile smart credential. Go to
Step 4 on page 36.

Smart credential login
1 Place your physical smart credential on the reader or connect your mobile
smart credential to your computer over Bluetooth or NFC.
2 In the Smart Credential Log In section, select Log In.
If you have more than one smart credential, you see a list.
3 Select the smart credential you want to use to log in, enter your smart
credential PIN, and select OK.
With this type of authentication, that’s all you need to do to log in to
Self-Service. You go directly to the Self-Administration Actions page. Skip to
“Self-administration actions” on page 40.
Note: If you use the Mobile Smart Credential app, but not for login to a
computer, use push authentication. See “Second-factor authentication with a
push authentication challenge” on page 39.

Combined multifactor authentication example.
Note: If you do not yet have a second-factor authenticator to do combined
authentication, click Sign up for Multifactor Authentication and follow the
on-screen instructions.
4 Enter your user name (and, if required, your group (or searchbase, or
realm)) and click OK.
5 On the next page, respond to the first-factor and second-factor challenges
presented.
Because second-factor challenges could be time sensitive (such as mobile soft
token push authentication), the second-factor challenge is displayed first.
Respond to the second-factor challenge, and then enter your first-factor
authenticator (your password).
This example shows a grid card challenge, but second-factor authenticators
used for combined authentication could be a grid card, a mobile soft token,
hardware token or a one-time password (OTP). Step 4 describes how to respond
to each of those types of challenges. (Other parts of step 4 do not apply to
combined multifactor authentication.)
When first- and second-factor authenticators are evaluated by Entrust
IdentityGuard and both are successful, you go directly to the
Self-Administration Actions page. Skip to “Self-administration actions” on
page 40.

4 Complete a second-factor authentication challenge.


After completing first-factor authentication with a name and password or an
OTP, or as part of combined authentication, Self-Service presents a second-factor
authentication challenge. It could be one of many types. Examples of how to
proceed with some of the possible second-factor authenticators are described
here.

Second factor authentication with mutual authentication, grid card, OTP, or
questions and answers
The following section describes the mutual authentication challenge and the
grid-card challenge. It also provides back-up options in case you don’t have your
grid card available. What you see depends on your organization’s configuration,
so what follows might not be exactly what you see.
The Self-Administration challenge screen appears.

When you see the mutual authentication image and phrase you selected earlier,
you can feel confident that you have contacted an Entrust IdentityGuard
application, and that it is safe to respond to the next challenge.
a If you have a grid, enter the grid coordinates requested, and click OK.
OR
b If you do not have your grid — you may have forgotten it at home — click
either one-time password challenge or question & answer challenge, for an
alternative way of authenticating.

– If you click one-time password challenge, you are prompted to confirm
your choice. You may change your mind and request a question & answer
challenge instead.

– Click OK.
The OTP Challenge screen appears. Check your email (or voice mail if your
OTP is delivered by telephone). The OTP email looks something like this:

– Copy and paste the OTP into the challenge screen.


– Click OK.
OR
c If you select question & answer challenge, the following screen appears.

– Enter the answers you entered when you registered.
– Click OK.
Self-Service displays the Self-Administration Actions page. To find out more
about the available actions, see “Self-administration actions” on page 40.

Second-factor authentication with a push authentication challenge


If your organization uses the Entrust IdentityGuard Mobile Soft Token app or the
Entrust IdentityGuard Mobile Smart Credential app, or both, you might be presented
with this kind of challenge after you enter your user name and password on the Self
Service login page and select the Login button.
a Self-Service advises you that a notification has been sent to your mobile app.
Open your Entrust IdentityGuard Mobile Smart Credential app or your
Entrust IdentityGuard Mobile Soft Token app.
b In the app, select the notification and read the authentication challenge.
c Select the Confirm button on the app.

Self-Service displays the Self-Administration Actions page. To find out more
about the available actions, see “Self-administration actions” on page 40.
5 Click Done on the Self-Service page and close your browser after completing a
Self-Service session.

Self-administration actions
There are many administration actions you can perform for yourself, depending on
how the Self-Service application is configured in your company. Some options you
see here may not be available depending on your administrator’s configurations. The
following procedures walk you through how they work.
The topics in this section include:
• “Updating your personal information” on page 41
• “Changing your questions and answers” on page 43
• “Unlocking a locked authenticator” on page 45
• “Enrolling and managing your biometric data” on page 47
• “Administering your grid” on page 52
• “Administering your hardware token” on page 57
• “Administering your soft token” on page 70
• “Changing or recovering your Entrust IdentityGuard password” on page 80
• “Administering machine secrets” on page 84
• “Requesting new OTPs” on page 86
• “Administering your smart credential” on page 87
• “Administering your digital ID” on page 105
• “Administering location history” on page 164
• “Reset your Entrust IdentityGuard password from the Self-Service login
page” on page 167
• “Unlock your Active Directory account or reset your Active Directory
password from the Self-Service login page” on page 169

Updating your personal information
Use the following procedures to view and update personal information such as full
name, telephone numbers and email addresses.

To update your personal information


1 Log in to the Self-Service application. See “To log in to Self-Service” on page 32.
2 In the following screen, click I’d like to update my personal information.

The Personal Information screen appears.

You can update your full name, your contact information, and your mutual
authentication image and phrase from this screen. For more information, see “To
enter your personal information” on page 22 and “To select your mutual
authentication image and phrase” on page 25.
3 Make the changes as required.
4 Click OK, or click Cancel to undo any changes you have entered.
An updated Self-Administration Actions screen appears, confirming that your
personal information has been updated.

Changing your questions and answers
Use the procedure that follows to change your question-and-answer pairings.

To change your questions and answers


1 Log in to Self-Service. See “To log in to Self-Service” on page 32.
2 In the following screen, click I’d like to change my question and answer pairings.

The Questions & Answers screen appears.

3 Select new questions or change the answers currently shown. In the
User-Defined Questions section, you can enter new questions and answers.
4 After you have made your changes, click OK.
An updated Self-Administration Actions screen appears, confirming that your
questions and answers have been updated.

Unlocking a locked authenticator
Use the procedure that follows to unlock one or more locked second-factor
authenticators.
To complete this procedure:
• you must have more than one Entrust IdentityGuard second-factor
authentication method
• at least one of your authenticators must be locked due to too many failed
authentication challenges using that authenticator (for example, too many
wrong responses to a grid challenge)
• your administrator must have enabled this option

To unlock one or more locked authenticators


1 Log in to Self-Service using first-factor authentication.
A message indicates that one or more of your second-factor authenticators is
locked, and presents a challenge for an authenticator that is not locked.

2 On the Self-Administration Actions page, click I’d like to unlock my locked
authenticators.
3 Self-Service displays a message confirming that all your authenticators have been
unlocked. Click Done to end your session.

Enrolling and managing your biometric data
Use the procedures in this section to enroll and update your fingerprint biometric
data.

Enrolling fingerprints
Enrollment of fingerprints for biometric authentication is done as part of the
installation of the Entrust IdentityGuard Desktop for Microsoft Windows client. The
client allows you to use biometric (fingerprint) authentication to log in to your
Windows computer.
Before you begin this procedure, ensure that you have the following prerequisites:
• the Fingerprint Enrollment Client installation package (it is part of the
installation package for Entrust IdentityGuard Desktop for Microsoft
Windows)
• a fingerprint scanner connected to your computer

To enroll fingerprints
1 Log in to Self-Service. See “To log in to Self-Service” on page 32.

The Self-Administration Actions page appears.

2 Click I’d like to enroll for fingerprint biometric authentication.


An enrollment page appears.

3 Click Capture Fingerprint Data.
A green light appears on the fingerprint reader. After a few seconds, the
fingerprint enrollment client appears on your Windows desktop.

4 Click the image of the finger for which you want to enroll a fingerprint. The
fingers that are circled are recommended; however, you can enroll any
fingerprints or those specified by your system administrator.
A green circle appears around the finger you selected.

5 Place and hold that finger on the fingerprint scanner.

6 Watch the software, waiting for a green box to appear around the finger.

7 Remove your finger.


8 Repeat three times with the same finger.
9 Click a different finger in the software and repeat the fingerprint scan three times
for that finger.
10 When you have done two fingers, click Next. (You can enroll more fingers, if you
want.)

A success message appears.

11 Click Finish.
12 Go back to the Self-Service page and click Next.
13 Click Done.
You have now enrolled fingerprints to be used for biometric authentication.

Administering your grid
Use the procedures in this section to administer your own grid. You can report it
misplaced, found again, or lost permanently.

To report your grid misplaced or forgotten


1 Log in to Self-Service. See “To log in to Self-Service” on page 32.
2 In the following screen, click I’ve temporarily forgotten or misplaced my grid.

The following confirmation screen appears.

3 Click Yes to put your grid on hold, and receive a temporary PIN for use until you
find your grid.

The Temporary PIN Distribution screen appears.


4 Your temporary PIN will be emailed to you, if email is configured. Select the email
address to which to send the temporary PIN. In this example, you can select
either Home Email or Work Email.
5 Click OK.
6 The Self-Administration Actions screen appears, with new options that reflect
your current state. An example list of actions is shown below.

7 Check your email inbox for an email containing your temporary PIN. You can use
your temporary PIN for authentication until you find your grid.

To report that you have found your misplaced grid
1 Log in to Self-Service. See “To log in to Self-Service” on page 32. Use your
temporary PIN, Q&A, or one-time password (OTP).
2 In the Self-Administrative Actions screen, click I’ve found my grid and would
like to start using it again.

A Grid Challenge screen appears. Depending on your company’s configuration,
you may be prompted for a PVN as well.
3 Enter the requested grid numbers, and click OK.
An updated Self-Administration Actions screen appears, confirming that your
grid is now successfully reactivated.

To report your grid permanently lost

Note: Use this procedure if you are certain you will not find or retrieve your grid,
or if you think its security is compromised because someone may have had time
to copy it.

1 Log in to Self-Service. See “To log in to Self-Service” on page 32. Use your
temporary PIN, Q&A, or one-time password (OTP).
2 In the Self-Administrative Actions screen, click I’ve permanently lost my grid or
think it’s been compromised.

A confirmation screen appears.

3 Click Yes.
4 The New Grid Distribution screen appears.

5 Read the screen carefully. It will tell you what alternate authentication you will
use while you wait for your new grid. If you have a valid email address in your
contact information, your temporary PIN will be emailed to you. If your company
uses eGrids, your new eGrid will be emailed to the email address you select.
6 Select the email account you want the temporary PIN or eGrid sent to.
7 Click OK.
8 The Self-Administration Actions screen appears, with new options that reflect
your current state. An example list of actions is shown below.

9 Check your email inbox for an email containing your temporary PIN or eGrid. If
your company does not use eGrids, use your temporary PIN for authentication
until your new grid arrives.

Administering your hardware token
Use the procedures in this section to activate or reset your existing token, or request
an additional one. You can also report it misplaced, lost, or broken.
Depending on the configuration used by your company, you may not have to activate
your token before you use it.
• “To activate your hardware token” on page 57
• “To report that you have temporarily misplaced your hardware token” on
page 60
• “To report that you have found your hardware token” on page 61
• “To synchronize your hardware token” on page 63
• “To report that you have permanently lost your hardware token or it is
damaged” on page 65
• “To change the name of your hardware token” on page 68

To activate your hardware token


1 Log in to Self-Service. See “To log in to Self-Service” on page 32.
2 In the Self-Administrative Actions screen, click I’d like to activate my token so I
can start using it.

A confirmation screen appears.

3 Click Yes.
The Token Activation screen appears.

If the Enter your token serial number field appears, enter the serial number you
see on your token. To find the location of the serial number on your particular
type of token, refer to the graphics to the right of the Token Activation screen.
It shows several supported tokens, and illustrates the location of the serial
number on each.

Note: In the very unlikely event that token serial numbers are not unique across
token vendors, a user is prompted to select the token vendor from a list.

4 If the Token Name field appears, enter a name that describes your token. For
example, John might call his token John’s Banking Token. Typically you need
to name a token only if you have more than one. Otherwise a default name is
applied.
5 In the Enter your token’s response field, enter your token response (the number
that appears when you press the button on your token).
6 Click OK.

Note: If activation of your token also requires a synchronization, then you are
prompted to synchronize the token as part of activation. 
Activation may also require that your PVN be changed—the PVN change will not
be saved if the token is synchronized automatically. You will be prompted to
change the PVN the next time you log in.

An updated Self-Administration Actions screen appears, confirming that your
token is now active.

Note that the self-administration actions list now includes more options for
administering your token.

To report that you have temporarily misplaced your hardware token
1 Log in to Self-Service. See “To log in to Self-Service” on page 32.
2 In the Self-Administrative Actions screen, click I’ve temporarily forgotten or
misplaced my token.

The confirmation screen appears.

3 Click Yes.

The Temporary PIN Distribution screen appears.

4 Select the email account from the drop-down list. The temporary PIN is emailed
to the account you select.
5 Click OK.
6 The Self-Administration Actions screen appears, with new options that reflect
your current state. An example list of actions is shown below.

7 Check your email inbox for an email containing your temporary PIN. Use your
temporary PIN for authentication until you find your token and reactivate it.

To report that you have found your hardware token


1 Log in to Self-Service. See “To log in to Self-Service” on page 32.

2 In the Self-Administrative Actions screen, click I found my token and would like
to start using it again.

The Token Recovery screen appears.

3 Press the button on your token. Enter the number that appears.
You may also be required to enter your PVN, depending on your company’s
configuration.

Note: If your token needs resetting at this point, see “To synchronize your
hardware token” on page 63.

4 Click OK.

An updated Self-Administration Actions screen appears, confirming that your
token is now successfully reactivated.

To synchronize your hardware token


1 Log in to Self-Service. See “To log in to Self-Service” on page 32.
2 In the Self-Administrative Actions screen, click I’d like to try synchronizing my
hardware token since it doesn’t appear to be working.

A confirmation screen appears.

3 Click Yes.
The Token Synchronization screen appears.

The number of responses you must enter differs for different types of
tokens, and also depends on your company’s Self-Service configuration. In this
example, you must enter two responses.
4 Press the token button. Enter the number that appears in Token Response 1.
5 Cancel the current number on the token, or wait for it to disappear.
6 Press the token button. Enter the number that appears in Token Response 2.
7 Click OK.

An updated Self-Administration Actions screen appears, confirming that your
token has been reset.
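
Why synchronization asks for consecutive token responses, shown as an added example (not Entrust code): it assumes an event-based OATH HOTP token (RFC 4226), which this guide does not specify. The secret, counters and look-ahead window below are constructed values, and resynchronize is a hypothetical helper name.

```python
import hashlib
import hmac
import struct

DIGITS = 6  # length of the number shown on the token (assumption)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """Compute the RFC 4226 HOTP value for one counter position."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation offset
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def _well_formed(response: str, digits: int) -> bool:
    """Reject anything that is not exactly `digits` ASCII digits."""
    return len(response) == digits and response.isascii() and response.isdigit()


def resynchronize(secret: bytes, server_counter: int, response1: str,
                  response2: str, window: int = 50, digits: int = DIGITS):
    """Search ahead of the server's counter for two consecutive matches.

    Each button press advances the token's counter, so a token pressed
    while away from a login page drifts ahead of the server. The server
    looks ahead `window` positions for a counter c where response1 matches
    position c and response2 matches position c + 1.

    Requiring two consecutive values is what makes a wide window safe:
    a guessed 6-digit value hits somewhere in the window with probability
    of roughly window / 10**6, a guessed consecutive pair with roughly
    window / 10**12.

    Returns the counter the server should expect next, or None.
    """
    if not (_well_formed(response1, digits) and _well_formed(response2, digits)):
        return None
    for counter in range(server_counter, server_counter + window):
        first_ok = hmac.compare_digest(hotp(secret, counter, digits), response1)
        second_ok = hmac.compare_digest(hotp(secret, counter + 1, digits), response2)
        if first_ok and second_ok:
            return counter + 2
    return None


# Constructed sample: the RFC 4226 test secret, a server that expects
# counter 1, and a token whose button was pressed until it reached counter 6.
SECRET = b"12345678901234567890"


def demo():
    """Return the server's counter after a successful two-response sync."""
    server_counter = 1
    token_counter = 6
    response1 = hotp(SECRET, token_counter)       # Token Response 1
    response2 = hotp(SECRET, token_counter + 1)   # Token Response 2
    return resynchronize(SECRET, server_counter, response1, response2)


if __name__ == "__main__":
    print("server counter after synchronization:", demo())
```
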

To report that you have permanently lost your hardware token or it is damaged
1 Log in to Self-Service. See “To log in to Self-Service” on page 32.

2 In the Self-Administrative Actions screen, click I’ve permanently lost my token
or it’s damaged.

A confirmation screen appears.

3 Click Yes.

The New Token Distribution screen appears.

4 Select the email account. The temporary PIN is emailed to the account you select.
5 Click OK.
An updated Self-Administration Actions screen appears.

To change the name of your hardware token
1 Log in to Self-Service. See “To log in to Self-Service” on page 32.
2 In the Self-Administrative Actions screen, click I’d like to change the name
associated with my hardware token.

The Rename Token page appears.

3 Enter a new name for the hardware token and click OK.
A success message appears.

You have now renamed your hardware token.

Administering your soft token
To download the Entrust IdentityGuard Mobile OTP application
1 Log in to Self-Service. See “To log in to Self-Service” on page 32.
2 In the Self-Administrative Actions screen, click I'd like to request a soft token.

3 On this page, do the following:


a Click Yes if you already downloaded the Entrust IdentityGuard Mobile OTP
app.
b Click No if you have not yet downloaded the Entrust IdentityGuard Mobile
app to your mobile device.

c If you click No, you see the following page.

4 Do the following on this page:


a Select I haven't attempted to download the Entrust IdentityGuard Mobile or
Soft Token application yet.
b Do one of the following:
– If you are viewing Self-Service from the device on which you want to install
a soft token, click the Secure HTTPS Download link. If it does not work,
click the Regular HTTP Download link.
OR
– If you are viewing Self-Service from a device that is not the one on which
you want to install a soft token, you can have Self-Service send an email to
an email account that you can access on the target device. The email
contains both the Secure HTTPS Download and Regular HTTP
Download links.

When you click one of the links, the download page appears on your device. The
download page might have different links and wording from the one shown here.
This example is for downloading the Entrust IdentityGuard Mobile OTP app.

5 Select the link that corresponds to your device.

Note: On Android, during the download, you are asked whether you want the
app to have a permission called "System tools: prevent phone from sleeping".
You must allow this permission in order for the app to run as intended.

Note: On BlackBerry, during the download, you may be asked whether you
want to grant the app 'Trusted Application Status' or individual permissions. If
you are asked to grant Trusted Application Status, answer Yes to allow the app
to run as intended. If you are asked for individual permissions, answer Yes to the
following permissions:
- Phone
- Internet
- Device Settings
- Media

6 After the app has downloaded, Entrust IdentityGuard appears on your mobile
device or your computer.

To activate a soft token
In Self-Service, after you download the Entrust IdentityGuard Mobile OTP app or
the desktop soft token application, a page like the following one appears. The
page you see might not have all the options shown here. If only manual
activation is enabled, you go directly to Step 5.

1 Select any option to read more about it on the Self-Service screen.


Option 1 results in automatic activation by selecting a button in Self-Service. Go
to Step 2.
Option 2 results in automatic activation by selecting a link in an email message.
Go to Step 3.
Option 3 results in automatic activation by scanning a quick response (QR) code
with your mobile device camera to enter activation information. This option is
intended for use when your mobile device is not connected to the Internet. Go
to Step 4.
Option 4 displays activation information that you enter in your soft token identity
manually. Go to Step 5.
Option 5 lets you delay activation of your soft token until it is more convenient.

2 If you selected option 1, complete the following steps for automatic online
activation:

a Click Activate Soft Token.


b On the Activate Identity screen in the app, select Activate. (iOS version
shown.) The app might prompt you to confirm the activation.

The soft token is activated for the identity.


c Select OK to close the Success message.
d If prompted, choose a PIN and confirm it. You must enter this PIN whenever
you open the app.

e On the self-service Web site, select Next. The Web site confirms that the soft
token is activated. You can use the soft token to authenticate.
3 If you selected option 2, complete the following steps for automatic online
activation:

a Choose the email account to which Entrust IdentityGuard should send the
activation email, and then click Email.
Entrust IdentityGuard sends the activation email to your target device.
b Open the email on your target device.
c Select the link in the email. If there are two links, select the first one.
The app opens.
d If prompted, enter your PIN or unlock the app with Touch ID (iOS 6 or
newer). (You are prompted to unlock the app only if you already have an
active soft token in your app that requires PIN protection.)
e On the Activate Identity screen, select Activate.
The soft token is activated for the identity.
f Select OK to close the Success message.
g If prompted, choose a PIN and confirm it. You must enter this PIN whenever
you open the app.
h On the Self-Service Web site, select Next.

The Web site confirms that the soft token is activated. You can use the soft
token to authenticate.
4 If you selected option 3, complete the following steps for offline automatic
activation with a QR code:

a Open the Entrust IdentityGuard Mobile OTP app on the mobile device on
which you want to activate the soft token.
b Select Scan QR Code from the menu (Android) or select the QR Code icon
(iOS).

c Point the camera of the mobile device at the QR code so it appears in the
image guide. The guidelines turn green when the app has captured the QR
code data.

d On the Password Required dialog box, enter the password displayed in
Self-Service, and select OK.
On the Activation Summary screen, the activation information is displayed
in the soft token identity details.
e Select Activate.
f Select OK on the success message.
g If prompted, choose a PIN and confirm it. You must enter this PIN whenever
you open the app.
h On the self-service Web site, select Next. The Web site confirms that the soft
token is activated. You can use the soft token to authenticate.
5 If you selected option 4, complete the following steps for manual activation:
a Enter the serial number, activation code, and the Identity Provider address, if
provided, into Entrust IdentityGuard Mobile OTP app.
b If the soft token application generates a registration code, in Self-Service,
select Next, and then enter the registration code, as prompted.
The soft token is activated in Entrust IdentityGuard.

The following diagram illustrates manual soft token activation using the
Entrust IdentityGuard Mobile OTP app on a BlackBerry device.

After activation, you can begin using the soft token in the Entrust IdentityGuard
Mobile OTP app to authenticate.

Other soft token administration actions
If you have installed the Entrust IdentityGuard Mobile OTP app or Entrust
IdentityGuard Desktop Soft Token, several soft token options are available in
Self-Administration.
Some soft token-related actions are the same as hardware token actions, so read
“Administering your hardware token” on page 57 for detailed instructions.
For more information about the user experience with desktop soft tokens, see the
application help or the Entrust IdentityGuard Desktop Soft Token User Guide
(Windows or Mac version) available at
https://secure.entrust.com/trustedcare/products/index.cfm?level1=Entrust%20IdentityGuard
For more information about using the Entrust IdentityGuard Mobile OTP app, see the
help within the app, or see the Entrust IdentityGuard Mobile OTP App User Guide.

Changing or recovering your Entrust IdentityGuard
password
Use this procedure to update or recover your Entrust IdentityGuard password.

To change your Entrust IdentityGuard password


1 Log in to Self-Service. See “To log in to Self-Service” on page 32.
2 In the Self-Administrative Actions screen, click I’d like to change my Entrust
IdentityGuard password.

The Password Change screen appears.

3 In Current Password, enter your currently active Entrust IdentityGuard password.
4 In New Password, enter a new password that meets the password rules set by
your company. Use the Password Rules panel on the right side of the screen to
guide you.
5 Click Submit.
An updated Self-Administration Actions screen appears, confirming that your
Entrust IdentityGuard password change is successful.

To report that you have forgotten your Entrust IdentityGuard password
1 Log in to Self-Service. See “To log in to Self-Service” on page 32.
2 In the Self-Administrative Actions screen, click I’ve forgotten my Entrust
IdentityGuard password.

The Password Recovery screen appears.

3 Select the email account. Your Entrust IdentityGuard password will be sent to the
email account you select.

Note: When you first use your new password, you may be required to change it.

4 Click OK.

An updated Self-Administration Actions screen appears, confirming that your
Entrust IdentityGuard password has been sent to the email account you selected.

Administering machine secrets
Machine secrets are used to identify your computer to Entrust IdentityGuard. When
this feature has been configured, you may not have to present login credentials if
you have previously logged in successfully from the same machine.
When you view your machine secrets, you see a list of machines you have logged in
from in the past. You should save machine secrets only when using company or
personal computers.
If you think you may have saved information from a public machine, such as a
computer in an Internet cafe, you should delete the machine secret listed for that
computer so that others using that computer cannot log into your company’s
computer system.

To view or delete your machine secrets


1 Log in to Self-Service. See “To log in to Self-Service” on page 32.
2 In the Self-Administrative Actions screen, click I’d like to review my machine
secrets.

The Machine Secrets screen appears.

3 If you have accidentally saved a machine secret on a machine at an Internet cafe,
for instance, you may choose to delete the machine secret corresponding to that
machine.
If you cannot identify the machine secret you want to delete from its Machine
Label, review the Date Registered and the Last Used date to help you choose the
correct one.
a Select Delete for the machine entry you want to delete.
b Click OK.
c A confirmation dialog box appears.

d Click OK to continue deleting the machine secret.

An updated Self-Administration Actions screen appears, confirming that the
selected machine secret has been deleted.

Requesting new OTPs


From Self-Administration, you can have new OTPs delivered to an email address that
you specify. You can then use these OTPs on subsequent logins.

To request new OTPs


1 Log in to Self-Service. See “To log in to Self-Service” on page 32.
2 Click I’d like to receive a new one-time password (OTP).

3 Select an email address where the OTP will be sent.

Administering your smart credential
This section provides procedures for activating or unblocking a physical smart
credential.
Procedures for mobile smart credentials and derived mobile smart credentials are
documented in the following places:
Help:
• www.entrust.com/mobilesc/android-guide
• www.entrust.com/mobilesc/ios-guide
Online user guide:
• www.entrust.com/mobile/info/help/mobilesc/android
• www.entrust.com/mobile/info/help/mobilesc/ios
Depending on the configuration used by your company, you may not have to activate
your smart credential before you use it.
This topic includes:
• “To activate your physical smart credential” on page 87
• “To unblock your smart credential (Windows login scenario)” on page 94

To activate your physical smart credential


1 Log in to Self-Service. See “To log in to Self-Service” on page 32.
2 In the Self-Administrative Actions screen, click I’d like to activate or update my
smart credential.

3 On the Physical Smart Credential Activation Choice page, select I’m activating
a physical smart credential such as a plastic card or USB token, and then click
Next.

The Physical Smart Credential Activation Choice page appears.

4 Select one of the following options:


• Activate my physical smart credential by using a Java applet that runs in my
web browser.— This option can be used with Internet browsers that support
Java applets. Go to Step 5.

Note: At October 2017, the only current browser that supports Java applets is
Microsoft Internet Explorer 11.0. Older versions of Internet Explorer can also be
used. Support for Java applets was removed from Google Chrome at version 45
and from Mozilla Firefox at version 52.

• Activate my physical smart credential by using the Entrust Entelligence
Security Provider (ESP) application installed on my computer.— Use this
option if directed by your administrator (or if you know that you have ESP
installed on your computer). Go to Step 10.
5 Insert your smart credential into the reader, and then click Next.
6 A security warning asks you to allow access to the smart credential. Click Yes.

7 Self-Service asks you to confirm that you want to activate your smart credential.
Click Yes.

The Smart Credential Encoding page appears.

The Self-Administration Actions page confirms when encoding is complete, and
displays your smart credential PIN.

If configured by your administrator, the PIN can also be sent to another
destination, such as an email address.
8 Record your PIN.
9 Click Done.
Your physical smart credential is ready to use.
10 After you select the option to activate your smart credential using ESP, insert your
smart credential into the reader, and then click Next.

11 Click Activate Smart Credential Using ESP.


A dialog might ask for permission to run the Entrust Entelligence Security Provider
application.
12 Click Allow.

The Entrust Encode Smart Card dialog box appears.

13 Click OK to begin encoding the smart credential.


The dialog box reminds you not to remove your smart card while it is being
encoded.

A message indicates when encoding is complete, and then the Insert Entrust
Smart Card dialog box appears.

14 Remove your smart credential from the reader and then reinsert it so that your
computer recognizes your smart credential.

15 Click Done on the Self-Service Web page.


Your physical smart credential is ready to use.

To unblock your smart credential (Windows login scenario)
1 If you entered an incorrect smart credential PIN too many times when trying to
log in to Windows, the PIN becomes blocked. To unblock it, log in to Self-Service.
See “To log in to Self-Service” on page 32.
2 In the Self-Administrative Actions screen, click I’d like to unblock my smart
credential.

A confirmation appears.

3 Click Yes.
4 You might be asked to make the following choice:
• Card Unblocking Key— Choose this option if your PIN is blocked for
Windows login on Windows 8 or later, then click Yes to continue.
• Window 7 PIN Unblock— Choose this option if your PIN is blocked for
Windows 7 login, then enter the 16-character challenge displayed on your
Windows login screen, and then click OK.

The Self-Administration Actions page displays a banner that contains the
unblocking key.

5 Enter the response code in the Windows Smart Card logon dialog box.
Your smart credential PIN is unblocked.
6 Enter a new PIN in the New PIN text box, and repeat it in the New PIN
Confirmation text box.
7 Click the arrow icon to log in with your new PIN.

Reset your physical smart credential PIN


You should change your PIN if someone else has learned it, if a default PIN was set
when you received your smart credential, if periodic PIN change is a policy of the
organization that issued your smart credential, or if you have forgotten it.
If smart credential PIN reset is enabled on your system, the Self-Service login page
includes a link with wording like Forgot your smart credential PIN? You click that link
to initiate the PIN reset process.
There are two ways to reset your PIN through Self-Service:

• “To reset your smart credential PIN using a Java-enabled browser” on
page 96
• “To reset your smart credential PIN using ESP” on page 99

To reset your smart credential PIN using a Java-enabled browser

Note: At October 2017, the only current browser that supports Java applets is
Microsoft Internet Explorer 11.0. Older versions of Internet Explorer can also be
used. Support for Java applets was removed from Google Chrome at version 45
and from Mozilla Firefox at version 52.

1 Open Microsoft Internet Explorer, version 11, or an older version. Currently, this
is the only browser (or one of very few) that continues to support the use of Java
applets.
2 Insert your smart card into the card reader or insert your USB smart credential into
a USB slot.
3 Go to your Self-Service page.
4 On the Self-Service login page, click the Forgot your smart credential PIN? link.
The Smart Credential PIN Reset page appears. If more than one PIN reset
method is supported, you might be asked to choose the method you want to
use to change your PIN.
5 Select Reset my physical smart credential PIN using a Java applet that runs in
my web browser.
6 Self-Service presents one or more authentication challenges. They could be any
of several types of challenges. Some are described in the examples that follow.
Respond to the challenge to authenticate.
Examples of authentication challenges
Mutual authentication and grid card: If you have a grid card, you might see a
grid card challenge. In this case, it is paired with a mutual authentication
challenge. If you recognize the image and the label that you chose when you
registered for Self-Service, enter the requested values from your grid card.

Push authentication: If you have an Entrust IdentityGuard mobile app, an
authentication challenge might be sent to your mobile device. In this case, open
the app, select the notification, and select the Confirm button to complete the
authentication.

After you successfully authenticate, the Smart Credential PIN Reset page
appears.

7 Enter your new PIN and then enter it again to confirm it. The PIN must satisfy the
rules listed on the window.

8 Click OK.
9 Self-Service confirms that the PIN was reset successfully.

10 Click Done.

To reset your smart credential PIN using ESP


1 In a browser, go to your Self-Service page.
2 On the Self-Service login page, click the Forgot your smart credential PIN? link.
The Smart Credential PIN Reset page appears. If more than one PIN reset
method is supported, you might be asked to choose the method you want to
use to change your PIN.
3 Select Reset my physical smart credential PIN using the Entrust Entelligence
Security Provider (ESP) application installed on my computer.

4 Enter your user name, and then click Next.

5 Self-Service presents one or more authentication challenges. They could be any
of several types of challenges. Some are described in the examples that follow.
Respond to the challenge to authenticate.
Examples of authentication challenges
Mutual authentication and grid card: If you have a grid card, you might see a
grid card challenge. In this case, it is paired with a mutual authentication
challenge. If you recognize the image and the label that you chose when you
registered for Self-Service, enter the requested values from your grid card.

Push authentication: If you have an Entrust IdentityGuard mobile app, an
authentication challenge might be sent to your mobile device. In this case, open
the app, select the notification, and select the Confirm button to complete the
authentication.

After you successfully authenticate, the Smart Credential PIN Reset using ESP
page appears.

6 Click the Smart Credential PIN Reset using ESP button.


The Entrust Entelligence Security Provider for Windows application opens.

7 If you have more than one smart credential, ESP displays a list. Select the smart
credential for which you want to change the PIN from the list presented.

8 Insert your smart card into the card reader or insert your USB smart credential into
a USB slot, and then click OK.

9 On the Reset Entrust Smart Card PIN window, enter your new PIN and then
enter it again to confirm it. The PIN must satisfy the rules listed on the window.

10 Click OK.
A dialog box confirms that the PIN was reset successfully.
11 Click OK to close the confirmation dialog box, then click OK again to close the
ESP application.

Administering your digital ID
A digital ID is a collection of information that represents a user (you). Like a passport,
the digital ID can be used as an official proof of identity because it has received a
stamp of approval by a trusted third party. In cryptographic terms, this trusted
third party is called a Certification Authority (CA), and the "stamp of approval" is
actually the CA’s digital signature.
The digital ID includes, among other things, one or more certificates and private keys
that can be used to perform cryptographic operations like authenticating to a
network, or applying a digital signature to an email.
This section provides a step-by-step list of screens that you will see when you request
a digital ID. Consult the section appropriate to the mobile device you are using. If
your device is not listed, pick the procedure corresponding to the device that most
closely resembles yours.

Note: If your device asks you for a password during the digital ID request
process, make one up.

• “To request a digital ID — Android — Samsung Galaxy Tab — network
access” on page 106
• “To request a digital ID — Android — Samsung Galaxy Tab — secure email”
on page 110
• “To request a digital ID — Apple iPad — network access” on page 115
• “To request a digital ID — Apple iPad — secure email” on page 121
• “To request a digital ID — BlackBerry Torch — network access” on page 128
• “To request a digital ID — BlackBerry Torch — secure email” on page 135
• “To request a digital ID — BlackBerry PlayBook — network access” on
page 142
• “To request a digital ID — BlackBerry PlayBook — secure email” on
page 147
• “To request a digital ID — Windows Mobile — Samsung Omnia II —
network access” on page 152
• “To request a digital ID — Windows Mobile — Samsung Omnia II — secure
email” on page 157

To request a digital ID — Android — Samsung Galaxy Tab — network access
1 Log in to Self-Service. See “To log in to Self-Service” on page 32.
2 In the screens that follow, click the circled items, or enter information into the
circled fields.

To request a digital ID — Android — Samsung Galaxy Tab — secure email
1 Log in to Self-Service. See “To log in to Self-Service” on page 32.
2 In the screens that follow, click the circled items, or enter information into the
circled fields.

To request a digital ID — Apple iPad — network access
1 Log in to Self-Service. See “To log in to Self-Service” on page 32.
2 In the screens that follow, click the circled items, or enter information into the
circled fields.

Note: Depending on how your administrator configured your system, the screen
above may be different. It may include fields in which to specify a SCEP profile
password, and the Download Digital ID button may appear on a subsequent
screen.

To request a digital ID — Apple iPad — secure email
1 Log in to Self-Service. See “To log in to Self-Service” on page 32.
2 In the screens that follow, click the circled items, or enter information into the
circled fields.

To request a digital ID — BlackBerry Torch — network access
1 Log in to Self-Service. See “To log in to Self-Service” on page 32.
2 In the screens that follow, click the circled items, or enter information into the
circled fields.

To request a digital ID — BlackBerry Torch — secure email
1 Log in to Self-Service. See “To log in to Self-Service” on page 32.
2 In the screens that follow, click the circled items, or enter information into the
circled fields.

To request a digital ID — BlackBerry PlayBook — network access
1 Log in to Self-Service. See “To log in to Self-Service” on page 32.
2 In the screens that follow, click the circled items, or enter information into the
circled fields.

You have now downloaded the certificates. You must now import them to the
appropriate location on the PlayBook, as follows.

3 Connect your PlayBook to your computer’s USB port. Ensure that the computer
has BlackBerry Desktop Software installed.
4 On your PlayBook, press the Settings cog wheel, on the top-right.
5 Under About, select Network.
6 Note the IP address. It looks something like 169.254.25.121
7 On your computer, open the BlackBerry Desktop Software.
8 On the left navigation bar, click Files.
9 From the main pane, click Get Started, if this button is available.
10 Go to the Device > downloads folder. You see at least two files with .cer or .p12
file extensions.
11 Select the CA certificate and your digital ID certificate that you just obtained from
Self-Service. Select both by clicking the first one, and then pressing the Shift key
while clicking the second one.
Both certificates are now selected.
12 Copy both files to the clipboard by right-clicking anywhere in the BlackBerry
Desktop Software’s main pane, and selecting Copy from the pop-up menu.
13 On your computer, click Start > Run.
14 Enter the IP address, preceding it with \\, like this:
\\169.254.25.121
Click OK. A Windows Explorer window appears, showing a certs folder, and
possibly other folders.
15 Paste both certificates into the certs folder by right-clicking anywhere in the
folder and selecting Paste.
16 Back in your PlayBook, press the Settings cog wheel, and then select Security
from the left navigation bar.
17 From the main pane, select Certificates.
18 Select each certificate that you just pasted to the certs folder, and click Import.
The certificates that you obtained from Self-Service are now imported onto the
BlackBerry PlayBook, and are ready for use.

To request a digital ID — BlackBerry PlayBook — secure email
1 Log in to Self-Service. See “To log in to Self-Service” on page 32.
2 In the screens that follow, click the circled items, or enter information into the
circled fields.

You have now downloaded the certificates. You must now import them to the
appropriate location on the PlayBook, as follows.
3 Connect your PlayBook to your computer’s USB port. Ensure that the computer
has BlackBerry Desktop Software installed.
4 On your PlayBook, press the Settings cog wheel, on the top-right.
5 Under About, select Network.
6 Note the IP address. It looks something like 169.254.25.121
7 On your computer, open the BlackBerry Desktop Software.
8 On the left navigation bar, click Files.
9 From the main pane, click Get Started, if this button is available.
10 Go to the Device > downloads folder. You see at least two files with .cer or .p12
file extensions.
11 Select the CA certificate and your digital ID certificate that you just obtained from
Self-Service. Select both by clicking the first one, and then pressing the Shift key
while clicking the second one.
Both certificates are now selected.
12 Copy both files to the clipboard by right-clicking anywhere in the BlackBerry
Desktop Software’s main pane, and selecting Copy from the pop-up menu.
13 On your computer, click Start > Run.
14 Enter the IP address, preceding it with \\, like this:

\\169.254.25.121
Click OK. A Windows Explorer window appears, showing a certs folder, and
possibly other folders.
15 Paste both certificates into the certs folder by right-clicking anywhere in the
folder and selecting Paste.
16 Back in your PlayBook, press the Settings cog wheel, and then select Security
from the left navigation bar.
17 From the main pane, select Certificates.
18 Select each certificate that you just pasted to the certs folder, and click Import.
The certificates that you obtained from Self-Service are now imported onto the
BlackBerry PlayBook, and are ready for use.

To request a digital ID — Windows Mobile — Samsung Omnia II — network access


1 Log in to Self-Service. See “To log in to Self-Service” on page 32.
2 In the screens that follow, click the circled items, or enter information into the
circled fields.

To request a digital ID — Windows Mobile — Samsung Omnia II — secure email
1 Log in to Self-Service. See “To log in to Self-Service” on page 32.

2 In the screens that follow, click the circled items, or enter information into the
circled fields.

Administering location history
Your current IP address will be checked against previous IP addresses from which you
have logged in, if allowed by Entrust IdentityGuard policy.
When this feature is enabled, Entrust IdentityGuard keeps a list of these locations in
the form of IP addresses.
If you have logged in from a location you would like to remove from the list, use the
following procedure.

To view or delete your location history entries


1 Log in to Self-Service. See “To log in to Self-Service” on page 32.
2 In the Self-Administrative Actions screen, click I’d like to review my location
history.

The Location History screen appears.

3 If you have authenticated from a location you do not plan to visit again, you may
choose to delete the location history entry corresponding to that location.
Review the City and the Last Authentication date to help you choose the correct
entry.
a Select Delete for the location entry you want to delete.
b Click OK.
A confirmation dialog box appears.

c Click OK to continue deleting the location history entry.

An updated Self-Administration Actions screen appears, confirming that the
selected location history entry has been deleted.

4 Click Done to end your self-administration session.

Reset your Entrust IdentityGuard password from the
Self-Service login page
If you usually log in to Self-Service with your Entrust IdentityGuard password, but you
have forgotten your password, you can initiate the password reset procedure from
the login page. To complete this procedure, you need to use other valid
authenticators to verify your identity. (This feature will not be available unless your
system administrator has configured it.)

To reset your Entrust IdentityGuard password from the Self-Service login page
1 Navigate to the Self-Service website.
2 Select the Forgot your password? link.

3 Enter the user name for your account.

4 If you usually log in as a member of a specific group, enter the group name in the
Group text box.
5 Self-Service presents one or more authentication challenges. They could be any
of several types of challenges. Some are described in the examples that follow.
Respond to the challenge to authenticate.
Examples of authentication challenges
Mutual authentication and grid card: If you have a grid card, you might see a
grid card challenge. In this case, it is paired with a mutual authentication
challenge. If you recognize the image and the label that you chose when you
registered for Self-Service, enter the requested values from your grid card.

Push authentication: If you have an Entrust IdentityGuard mobile app, an
authentication challenge might be sent to your mobile device. In this case, open
the app, select the notification, and select the Confirm button to complete the
authentication.

After you successfully complete the challenges, Self-Service displays a page
where you can change your password or have a temporary password mailed to
you. (After you authenticate with your temporary password, you must reset your
password.)
6 Reset your password, being sure to satisfy all of the password rules.
7 Click Done on the Self-Service page.

Unlock your Active Directory account or reset your Active
Directory password from the Self-Service login page
You might need to complete this procedure in scenarios like these:

Scenario 1: Account unlock


You changed the login password on your computer (your Active Directory corporate
domain password). You didn’t remember to update the password on the mail
application on your mobile phone. The mobile phone logs in to the mail server every
15 minutes to get new messages. The login fails because the password has changed.
After a certain number of failed login attempts, the account is locked. Next time you
try to log in to your computer, you find the account is locked.

Scenario 2: Password reset
You have forgotten your Active Directory corporate domain password. You cannot
log in to your computer.

To unlock or reset your Active Directory corporate domain password from the
Self-Service login page
1 Using a browser on a computer that is not locked or on a mobile device, navigate
to the Self-Service website.
2 Select the Password locked or forgotten? link. This link appears if you use your
Active Directory password to log in to Self-Service.

At this point, Self-Service doesn’t know whether you need to unlock your
account or reset your password. It shows the Password Reset page, but it is part
of the workflow for unlocking the account, too.
3 On the Password Reset page, enter the user name for your account.

4 If you usually log in as a member of a specific group, select the group from the
Group drop-down list, and then click OK.

5 Self-Service displays one or more authentication challenges. Complete the
challenges.
This example shows a mutual authentication challenge and a grid card challenge.

After you successfully complete the challenges, Self-Service unlocks your Active
Directory account if it was locked. A message confirms that the account has been
unlocked. The message also asks if you want to change your password.

6 In Scenario 1 described above, you do not want to change your password (you
have already changed the password on your computer and just need to update
it on your mobile device). In this case:
a Select No.
Self-Service displays the login page again. Now that your Active Directory
corporate account is unlocked, you can log in with the password you
updated earlier on your computer (Scenario 1).
b To complete the scenario, change the password in the email application on
your mobile device, and on any other device where it is not up to date, to
prevent the Active Directory corporate domain account from becoming locked
again.
OR
7 In Scenario 2, you want to reset your password because you have forgotten it.
a On the page that confirms that your account is unlocked and asks if you
want to change your password, select Yes.
Self-Service displays a page where you can change your password or have a
temporary password mailed to you. (After you authenticate with your temporary
password, you must reset your password.)
b Reset your password, being sure to satisfy all of the password rules.
c Click Done on the Self-Service page.
